Working to keep your digital experiences secure

Posts in Category "Product Updates"

When you receive a notification from your computer that it’s time to update your software, do you immediately accept it or do you delay your software update because you’re in the middle of something? If you’re like 64 percent of American, computer-owning adults, you recognize how critical software updates are and update your software immediately. Another 30 percent update their software depending on what the update is for. That’s 94 percent who recognize software updates and at least consider taking action when prompted.

We asked a nationally representative sample of ~2,000 computer-owning adults in the United States about their behaviors and knowledge when it comes to cybersecurity. Interestingly, attitudes toward updating software have changed for the better in the last five years. It seems consumers are more likely to update their software immediately, indicating that updates are becoming easier for consumers to install, and that computer-owning adults are better informed on how and why updating software is so important when trying to protect their identity and devices. While a majority update their software promptly on their computer, 83 percent are equally or more diligent in updating their smartphones than their computers. No matter what type of device you own – computer, tablet or smartphone – it’s critical to keep all your software up to date, as soon as the update is available.

Here are some additional insights from the survey on current practices regarding software updates and also some tips and reminders on why you should be updating your software – no matter the device – regularly.

Keep Your Software Up to Date (It’s Critical)

Across the industry, we continue to see how attackers are finding holes and exploiting software that is not up-to-date. In fact, attackers may target vulnerabilities for months – or even years – long after patches have been made available. Keeping your software up-to-date is a critical part of protecting your devices, online identity and information. The good news is that according to our survey results, 78 percent of consumers recognize the importance of keeping software up-to-date. Among those who typically update their software, 68 percent indicate that both security and crash control are top reasons for updating.

No matter the reason, keeping your software up to date should become a part of your regular routine:

Select automatic updates. When possible, select automatic updates for your software – that way, your devices will automatically update without having to add another item to your to-do list.

Select notification reminders. If you prefer to know exactly what updates are being installed, you can set notifications to remind you to update the software yourself. Our survey results show that 1 in 3 people update on the first notification; interestingly, adults of the Baby Boomer generation are most likely to update their software after one prompt while those tech-savvy Millennials are more likely to need 3 to 5 notifications to update software. For all those not updating on the first prompt, we suggest selecting automatic software updates when possible.

Legitimate Software Updates

While a majority of our survey respondents noted that they frequently update their software, there was a very small group that indicated the reason for not updating their software is because they don’t trust that the update is legitimate. If you share this same concern, here are a few tips and reminders to help ensure you are downloading legitimate software:

Set automatic software updates. To help ensure that you are downloading legitimate software, set your software to update automatically when possible. One less thing to do on your end that keeps your computer in check!

Check for the software update directly on the company website. When updates or patches to software are available, companies typically have updates on their website. If you’re unsure about a notification, double check on the software company’s website.

Be wary of notifications via email. Some companies may send notifications of software updates via email. Be cautious with these, as attackers often use fake email messages that may contain viruses that appear to be software updates. If you’re unsure about the software updates you receive as an email, check the company’s website to download the latest patches. And don’t fall victim to phishing ploys! See our blog post on tips for recognizing phishing emails.

Staying One Step Ahead

The technology industry is consistently moving forward, and the task of updating software should continue to progress and be made as simple as possible for users, especially since the majority of exploits appear to target software installations that are not up to date on the latest security updates. Adobe strongly recommends that users install security updates as soon as they are available or, better yet, select the option to allow automatic updates, which installs updates in the background without requiring further user action.

Now available for free on the Apple App Store and the Android Market, Adobe Reader 10.1 brings to your favorite mobile devices the same best-in-class PDF viewing experience you’re used to on the desktop. This latest release is our first for iOS devices, and shows Adobe’s commitment to provide the most compelling mobile experiences on the most popular platforms. With each new version, Adobe is bringing to mobile those capabilities that users on the go find most important, like text search, easy page navigation, bookmarks, and printing.

As a result, key among the new features in Adobe Reader 10.1 for Mobile is support for accessing files secured by Adobe LiveCycle Rights Management. LiveCycle Rights Management protects sensitive documents by encrypting them with industry-standard AES encryption and enabling central management of their access permissions. Protections persist even when documents are accidentally distributed via email, the cloud, or saved on a lost mobile device.

As discussed earlier on this blog, the Adobe Approved Trust List (AATL) has been updated to remove the DigiNotar Qualified CA root certificate. Users of Adobe Reader and Acrobat X (version 10.x) will be automatically updated to this list.

To be sure your copy of Adobe Reader or Acrobat will get the update, you can force a download of the AATL. Go to Preferences->Trust Manager->Automatic Updates and click the Update Now button. Also, be sure the “Load trusted root certificates from an Adobe server” option is checked.

A future product update of Adobe Reader and Acrobat version 9.x will enable dynamic updates of the AATL. In the meantime, users of Adobe Reader and Acrobat 9 can manually remove the DigiNotar Qualified CA using instructions provided in the blog post.

Also note that the Dutch government has published a document regarding the impact of the removal on signed PDFs. That document (in Dutch and English) can be found at the links below:

In the past two weeks, it has come to light that Dutch certificate authority DigiNotar suffered a serious security breach in which a hacker generated more than 500 rogue SSL certificates and had access to DigiNotar’s services, including many that were relied upon specifically by the Dutch government for key citizen and commercial services. The full extent of the attack is still not clear.

The DigiNotar Qualified CA root certificate is part of the Adobe Approved Trust List (AATL) program, which we have mentioned in this space on multiple occasions. The AATL is designed to make it easier for authors to create digitally signed PDF files that are trusted automatically by Adobe Reader and Acrobat versions 9 and above, and includes many certificates from around the world.

While Adobe is not aware of any evidence at this time of rogue certificates being issued directly from the DigiNotar Qualified CA root in particular, an official report by Dutch security consultancy Fox-IT stated that there was evidence of the hacker having access to this CA, thus possibly compromising its security. (The rogue certificates known today are SSL certificates originating from the DigiNotar Public CA.)

Adobe takes the security and trust of our users very seriously. Based on the nature of the breach, Adobe is now taking the action to remove the DigiNotar Qualified CA from the Adobe Approved Trust List. This update will be published next Tuesday, September 13, 2011 for Adobe Reader and Acrobat X. We have delayed the removal of this certificate until next Tuesday at the explicit request of the Dutch government, while they explore the implications of this action and prepare their systems for the change.

Adobe’s history is one of not only inventing and adapting amazing technology, but also making those same innovations easy to use. Over ten years ago, we took the complex world of public key infrastructure (PKI) & digital certificates, and in turn, made digital signing a one-click process on a PDF within Acrobat and Reader on your PC or Mac. So it naturally follows that yesterday Adobe continued this trend towards great technology made simple and announced that it had acquired leading electronic signature provider EchoSign.

EchoSign offers an easy-to-use, yet fully-featured, electronic signature service that allows users, from individuals to large enterprises, to easily upload documents, set up a signing workflow, and have recipients sign with a simple click-through process.

Just last night, we announced the availability of updates to both Adobe Acrobat and Reader, bringing them up to version 10.1. Along with a significant list of vulnerability mitigations, these updates also bring with them substantial changes to the secure operation of Acrobat on Windows, and to the digital signature functionality across platforms.

First, Acrobat 10.1 on Windows now features the same Protected Mode operation as Adobe Reader X, protecting users from malicious PDFs. Additional information on Acrobat’s implementation of sandboxing is available on the Adobe Secure Software Engineering Team’s (ASSET) blog. For those savvy in digital signatures, note that Protected Mode (on both Acrobat and Reader) may impair the installation of PKCS#11-based tokens. Refer to the simple instructions here for a workaround.

And if you’re like me and love the nitty-gritty details of digital signatures, you’ll probably appreciate the other signature-specific changes in 10.1…

Today, Adobe pushed out yet another update to its certificate trust program implemented in Adobe Reader and Acrobat. The AATL program, launched in 2009, makes it easier for users to view and rely on digitally signed PDFs by automatically displaying a green checkmark for those signature credentials which meet higher assurance requirements when opened in Reader and Acrobat 9 and X.

I participated in a panel session this week at the Cloud Computing Summit in Washington D.C. sponsored by the 1105 Government Information Group. Over the course of the day, there was a healthy debate being waged about exactly when and how government agencies should deploy cloud applications. Some postulated that the cloud was merely a marketing term for hosted services that had been around for years, while others believed that significant technology advances such as virtualization make today’s cloud computing deployments something altogether different and more valuable. One point that drew no debate was that the number one concern for both commercial and government customers regarding cloud deployments is security. Part of this debate focuses on whether or not applications that house PII or other highly sensitive information should ever be deployed in a cloud infrastructure due to the assumed lack of control. This topic triggered some thoughts about another way security and the cloud are coming together quickly today: deploying enterprise security software in the cloud as a managed service.

Perhaps we’ll coin the term R-MaaS for now, Rights Management As A Service. There are many layers of security that need to be built into a cloud infrastructure, from physical security, to access controls, firewalls, and even encryption for archived data at rest. But this concept is using the power of the cloud to actually deploy security tools such as LiveCycle Rights Management, which provides persistent document protection regardless of whether the recipient is internal or external to the organization, regardless of the document type (PDF, CAD, or Microsoft Office) and regardless of where the documents ultimately travel (at rest in storage or file systems, in motion over email or to the web, or in use on laptops or removable media devices). LiveCycle Rights Management as a Managed Service has already garnered a lot of interest, as all of the features available on premise are also available in the cloud. This includes the ability to protect documents both inside and outside the firewall via the free, widely available Adobe Reader for PDF, and support for strong user authentication, including VPN access for internal employees and a variety of PKI-based authentication mechanisms for identity federation across organizations. It also includes the ability to expire or dynamically revoke documents, link users automatically to the latest versions, or even provide anonymous access to particular documents as a way to track how documents are being consumed.

Some of these capabilities customers have been using since 2003, but now in 2010, we have added this new deployment option that not only brings rights management to the cloud, it’s actually rights management in the cloud. LiveCycle Managed Services is our new cloud deployment option for LiveCycle that allows customers to deploy software in a simple annual subscription pricing model that includes all hardware, software, maintenance, upgrades, and 24/7 monitoring of the system. We still work with a customer’s internal IT and security resources to help build out the appropriate security policies, but the mundane tasks of maintenance and upgrades are performed by Adobe. Besides all the benefits that come with a fully managed service, deployment times can be accelerated from weeks down to a couple of days or less. This allows you to get the application up and protecting documents quickly for the business without the costly delays associated with approvals, hardware and software procurement, and installation.

Now, getting back to the original concerns at this week’s conference about relinquishing control of sensitive information to the cloud: LiveCycle Rights Management deployed as a Managed Service circumvents these objections through an elegant architecture that never needs to house sensitive documents in the cloud itself. In fact, only the document policies and associated keys are stored in the cloud; the documents remain in the organization’s datacenter, within their control. Keys are passed back and forth from the Rights Management server sitting in the cloud to allow user access based on the document policies. So what started as an interesting philosophical discussion about whether or not applications which transact sensitive information should leverage a cloud computing architecture ends with the notion that some of these concerns can actually be mitigated by none other than the cloud.